Cases of DDoS detection and attack prevention in CentOS

Source: Internet
Author: User
Tags: centos, centos server, iptables, firewall

How to check whether a CentOS server is under DDoS attack

Log on to your server and run the following command as root to check whether the server is under a DDoS attack:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This command lists the remote IP addresses connected to the server, sorted by the number of connections each one holds (the busiest addresses at the bottom).

Detecting a DDoS attack is harder when attackers use fewer connections from more IP addresses: the per-address counts stay low even though the server is under attack. So it is also important to check the server's total number of active connections with the following command:

netstat -n | grep :80 | wc -l

This command prints the number of connections currently open to port 80 on the server.

You can also use the following command:

netstat -n | grep :80 | grep SYN | wc -l

The number of established connections reported by the first command differs from server to server, but if it shows more than 500 connections there is almost certainly a problem.

If the result of the second command is 100 or more, the server may be under a SYN flood attack.
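The two checks above, applied to a constructed sample of netstat output together with the page's thresholds. This is an added example, not part of the original page; the sample connections and the verdict names are assumptions made here.

```shell
#!/bin/bash
# Added example (not from the original page): the page's two netstat checks
# run over a constructed sample of `netstat -ant` output, plus the page's
# thresholds, so the logic can be tried without a live server.
SAMPLE_NETSTAT='tcp        0      0 10.11.11.11:80     203.0.113.5:51234    ESTABLISHED
tcp        0      0 10.11.11.11:80     203.0.113.5:51235    ESTABLISHED
tcp        0      0 10.11.11.11:80     203.0.113.5:51236    SYN_RECV
tcp        0      0 10.11.11.11:80     198.51.100.7:40001   SYN_RECV
tcp        0      0 10.11.11.11:80     198.51.100.7:40002   SYN_RECV
tcp        0      0 10.11.11.11:22     192.0.2.9:33010      ESTABLISHED
udp        0      0 10.11.11.11:53     192.0.2.9:33011'

# First check: connections per remote address, busiest first.  Same pipeline
# as the page's command, reading netstat text on stdin.  (cut -d: breaks on
# IPv6-mapped addresses such as ::ffff:203.0.113.5:80.)
top_remote_ips() {
    grep -E '^(tcp|udp)' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c \
        | sort -rn | awk '{print $2, $1}'
}

# Second check: all connections to the web port, and the half-open ones.
# The trailing space after :80 keeps ports such as 8080 from matching.
port80_count()   { grep -c ':80 '; }
syn_recv_count() { grep ':80 ' | grep -c 'SYN_RECV'; }

# Apply the page's thresholds: more than 500 open connections is abnormal,
# 100 or more half-open connections suggests a SYN flood.
assess() {
    local active="$1" halfopen="$2" verdict=ok
    [ "$active" -gt 500 ] && verdict=high-connection-count
    [ "$halfopen" -ge 100 ] && verdict=syn-flood-suspected
    echo "$verdict"
}

# Stand-alone run against the constructed sample.
active=$(printf '%s\n' "$SAMPLE_NETSTAT" | port80_count)
halfopen=$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count)
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips
echo "port 80: $active open, $halfopen half-open -> $(assess "$active" "$halfopen")"
```

On a real server replace the sample with `netstat -ant` output piped into the functions.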

Once you have a list of the IP addresses attacking your server, you can block them easily.

The following command blocks one IP address (or any other specific address) at the routing layer; replace IPADDRESS with the address to block:

route add -host IPADDRESS reject

Once you have blocked access from a specific IP address on the server, you can verify that the block is in effect by running:

route -n | grep IPADDRESS

You can also block a specific IP address with iptables:

iptables -I INPUT 1 -s IPADDRESS -j DROP    # or -j REJECT

service iptables save       # writes the rule to /etc/sysconfig/iptables
service iptables restart    # reloads the saved rules; restarting before saving would discard the unsaved rule

After the preceding commands are executed, kill the existing httpd connections and restart the httpd service:

killall -KILL httpd

service httpd start    # older apachectl versions used "startssl"; current ones start SSL with plain "start"


DDoS attack prevention

sysctl -w net.ipv4.icmp_echo_ignore_all=1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_synack_retries=3
iptables -N syn-flood                                   # the chain must exist before INPUT can jump to it
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
# Limit 12 connections per second (burst to 24)
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP                           # SYNs over the limit fall through to here

You can also try this:

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT    # only meaningful on a forwarding host, and only with a later rule that drops what exceeds the limit

VM service providers may be attacked by hackers during operation. Common attacks include SYN floods and DDoS attacks.

Changing the IP address of the attacked site can sidestep an attack, but the service interruption lasts a long time. A thorough solution is to add a hardware firewall, but hardware firewalls are expensive. Instead, you can use the firewall functions provided by the Linux system to defend against attacks.

1. Defending against SYN floods

A SYN attack abuses the three-way handshake of the TCP/IP protocol: the attacker sends a large number of connection-establishing packets but never completes the connections. As a result, the network queue of the attacked server fills up and normal users cannot connect.

The Linux kernel provides several SYN-related settings. Run the following command to see them:

sysctl -a | grep syn

Typical output:

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN queue, and tcp_syncookies controls whether the SYN cookie function, which defends against some SYN attacks, is enabled. tcp_synack_retries and tcp_syn_retries define the number of times a SYN-ACK or SYN is retransmitted.

Increasing the SYN queue length lets the server hold more connections that are waiting to complete the handshake, enabling SYN cookies defends against some SYN attacks, and the retry counts can be reduced.

To adjust the preceding settings, follow these steps:

Increase the SYN queue length to 2048:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Enable the SYN cookie function:

sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

sysctl -w net.ipv4.tcp_synack_retries=3

sysctl -w net.ipv4.tcp_syn_retries=3

To keep these settings across a system restart, add the preceding commands to the /etc/rc.d/rc.local file.
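An audit of the four settings above against the values this procedure sets, as an added example that is not part of the original page. It reads the text of `sysctl -a | grep syn` on stdin and prints the `sysctl -w` command for every setting that falls short; the sample input is constructed from the default values shown earlier, and the target table is an assumption that treats a larger backlog or fewer retries than the page's values as compliant.

```shell
#!/bin/bash
# Added example (not from the original page): audit the four SYN-related sysctl
# settings against the values the procedure above sets.  Input is the text of
# `sysctl -a | grep syn`; the sample is constructed from the page's defaults.
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Target per key: "key op value"; ge = at least, eq = exactly, le = at most.
WANTED='net.ipv4.tcp_max_syn_backlog ge 2048
net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_synack_retries le 3
net.ipv4.tcp_syn_retries le 3'

# Read sysctl output on stdin; print "key current target" for each setting
# that does not meet its target.  Keys absent from the input are ignored.
syn_audit() {
    sed 's/ *= */=/' | awk -F= -v wanted="$WANTED" '
        BEGIN {
            n = split(wanted, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); op[f[1]] = f[2]; want[f[1]] = f[3] }
        }
        ($1 in op) {
            have = $2 + 0; w = want[$1] + 0
            ok = (op[$1] == "ge" && have >= w) || (op[$1] == "le" && have <= w) || (op[$1] == "eq" && have == w)
            if (!ok) print $1, have, w
        }'
}

# Turn audit findings (stdin) into the runtime fix for each one.
syn_remediate() {
    local key have want
    while read -r key have want; do echo "sysctl -w $key=$want  # was $have"; done
}

# Lines to append to /etc/sysctl.conf so the fix also survives a reboot
# (an alternative to the rc.local approach the page uses).
syn_persist() {
    local key have want
    while read -r key have want; do echo "$key = $want"; done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | syn_audit | syn_remediate
```

On a live system pipe `sysctl -a | grep syn` into syn_audit instead of the sample.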


Using netstat to detect a SYN attack

# netstat -n -p -t
tcp        0      0 10.11.11.11:23      124.173.152.8:25882    SYN_RECV    -
tcp        0      0 10.11.11.11:23      236.15.133.204:2577    SYN_RECV    -
tcp        0      0 10.11.11.11:23      127.160.6.129:51748    SYN_RECV    -
...

On Linux, many connections are in the SYN_RECV state (SYN_RECEIVED on Windows) and the source IP addresses are random, which indicates a SYN attack with IP spoofing.

# netstat -n -p -t | grep SYN_RECV | grep :80 | wc -l
324

This checks the number of half-open connections on a given port on Linux; here the count for TCP port 22 is 324. Although that is far from the system limit, administrators should take note of it.

[root@pub wxjsr]# netstat -na | grep SYN_RECV
tcp        0      0 58.193.192.20:80    221.0.108.162:32383    SYN_RECV
tcp        0      0 58.193.192.20:80    125.85.118.231:2601    SYN_RECV
tcp        0      0 58.193.192.20:80    222.242.171.215:2696   SYN_RECV
tcp        0      0 58.193.192.20:80    116.52.10.51:2629      SYN_RECV
tcp        0      0 58.193.192.20:80    218.171.175.157:1117
[root@pub wxjsr]# netstat -na | grep SYN_RECV | wc
     11      66     979
Viewing the system's SYN-related settings

The Linux kernel provides several SYN-related settings. Run the following command: sysctl -a | grep syn

[root@metc apache2]# /sbin/sysctl -a | grep syn
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18
Anti-SYN attack settings

# Rate-limit new connection attempts (described here as shortening the SYN timeout).
# A limit match on an ACCEPT rule only has an effect when a later rule drops what exceeds the limit:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# Cap the number of SYN packets accepted per second:
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT
# Enable SYN cookies and tune the SYN queue:
sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3000
/sbin/sysctl -w net.ipv4.tcp_synack_retries=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0    # disable the IP source route option
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1          # ignore ICMP echo (ping) requests sent to broadcast addresses
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1                 # ignore all ICMP echo requests; this overrides the previous line
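The syn-flood chain used in both iptables listings on this page, written as an iptables-restore ruleset so it can be kept in /etc/sysconfig/iptables (the file `service iptables save` writes on CentOS 6) and reloaded on restart. This is an added example, not the page's or the distribution's own code; the rate, burst and interface are parameters, and the check function is an assumption added here to show that a chain whose only rule is a RETURN limits nothing.

```shell
#!/bin/bash
# Added example (not from the original page): the page's syn-flood chain as an
# iptables-restore ruleset, the format `service iptables save` stores in
# /etc/sysconfig/iptables on CentOS 6, so the limit survives a restart.
# Rate, burst and interface are parameters; nothing here touches the running firewall.
syn_flood_ruleset() {
    local rate="${1:-12/s}" burst="${2:-24}" iface="${3:-eth0}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
# every new connection attempt (SYN only) is handed to the syn-flood chain
-A INPUT -i $iface -p tcp --syn -j syn-flood
# within the token bucket: go back to INPUT and let the normal rules decide
-A syn-flood -m limit --limit $rate --limit-burst $burst -j RETURN
# above the limit: drop (without this terminal rule the chain does nothing)
-A syn-flood -j DROP
COMMIT
EOF
}

# Check a ruleset on stdin: returns 0 when the named user chain has rules and
# ends with DROP or REJECT, 1 when every rule in it only RETURNs.
chain_terminates() {
    awk -v c="$1" '
        $1 == "-A" && $2 == c { n++; if ($NF == "DROP" || $NF == "REJECT") term = n }
        END { exit (n > 0 && term == n) ? 0 : 1 }'
}

# Stand-alone: print a 1/s, burst 3 ruleset (the page's second listing) and verify it.
# Load it with: iptables-restore < syn-flood.rules, then `service iptables save`.
syn_flood_ruleset 1/s 3
syn_flood_ruleset 1/s 3 | chain_terminates syn-flood && echo "syn-flood chain terminates"
```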
